Ransomware Source in Finalsite Attack Identified as School Websites Functioning Again

School website provider Finalsite said Monday that its cyber-investigation of last week's ransomware attack has identified the threat actor and that the 3,000 school websites offline for most of last week are now back online and functioning.

Thousands of K–12 schools and universities whose websites are hosted by Finalsite were affected by the outage starting on Tuesday, Jan. 4, though the reason for the outage was not disclosed until Thursday afternoon. As of noon Monday, all the websites were back online and most functions working, the company said, with a few remaining functions such as the file manager and integrations still being restored.

Finalsite Director of Communications Morgan Delack said Monday that company officials “were not able to quickly share the details of the why” in an effort to protect the investigation, and she added that while clients were notified of the outage later that day, “we should have sent communication to all our clients the moment the websites went down universally.”

“We should have done better” in that regard, Delack said. “We have been listening to the needs of our clients and (doing everything possible to) help make it as easy to recover from this as possible.”

With help from cybersecurity forensic investigators from Charles River Associates, Finalsite “has determined who the threat actor is, we have contained their activity, and we know how they gained access and when they gained access,” Delack said today. The investigation includes assistance from data privacy attorneys at Mullen Coughlin LLC, she said.

“We have found absolutely no evidence that client data has been compromised or extracted,” Delack added. “The remainder of the investigation is to confirm these findings and ensure compliance” with cybersecurity laws and best practices.

Delack said Friday that the company had full access to its files and data throughout the incident and a forensic investigation was under way. “We have no evidence that our data or client data has been taken.” Finalsite also noted that its database information on client schools is limited to names and email addresses and said the company does not store payment information, academic records, Social Security numbers or other personal information.

“It's important to note that the malware is not what took our sites offline,” Delack emphasized again on Monday. “We did so proactively — and immediately — upon learning of the issue in order to protect our data. The reconnection of our websites is taking so long because we had to rebuild everything in a clean, safe environment again. At this time, we have no evidence that data was compromised, and we credit that to our early actions.”

Delack initially estimated that about 5,000 of its almost 8,000 global customers had been affected by the incident; on Monday, that total was revised down to 3,000 school websites impacted.

Finalsite, with offices in Connecticut and the U.K., provides website, marketing, and communications platforms for schools and universities in 108 countries. It is a portfolio company of Veritas Capital.

Read more about the timeline of the outage and the company’s reaction in our initial report on the ransomware attack.

In a webinar for clients held late Thursday, Finalsite officers emphasized that they take security “extremely seriously and are frequently updating protocols” based upon any best practices and new information.

“The Finalsite security team has strict security measures in place to protect the information in our care, and have worked to add further technical safeguards to our environment,” the transcript reads. “We’ve invested $2.5 million into hosting security and our team monitors our network systems 24 hours a day, seven days a week. As we learn more about this incident, we are taking additional steps to further secure the environment and prevent this type of attack from occurring again.”

Cybersecurity and education officials have recently warned of a significant increase in cyberattacks on schools and universities, and the K–12 Cybersecurity Act of 2021, signed into law in October, directs the Cybersecurity and Infrastructure Security Agency to identify risks and provide resources for schools to better protect their IT security.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured